02-27-2009 04:23 AM - edited 03-11-2019 07:58 AM
Hi
We have one Pix sitting as f/w for our servers. I now want to configure another Pix, whose outside interface is on the same subnet as the inside interface of the first Pix. The second Pix will be in front of our LAN, so you can consider the servers to be in a DMZ. The outside Pix is working fine, so I don't really want to touch that too much.
I have set up the second Pix pretty much the same as the first; however, I cannot seem to ping between DMZ and LAN. With the same setup on the first Pix, I can ping between the Internet and DMZ.
The only difference is that the outside Pix has NATting, and I want to avoid it on the inside one, although if it is needed, then that is fine.
Internet --- Pix1 ---- Servers --- Pix2 ---- LAN
Any ideas of where I should look first?
Thank you in advance.
Regards
Ali
02-27-2009 04:35 AM
Ali
Depending on the Pix version of software you could either
1) turn off NAT, i.e. no nat-control
OR
2) use static entries, i.e. assuming your LAN is 192.168.5.0/24
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Both the above are changes you make on the new pix.
Jon
02-27-2009 05:07 AM
Jon,
Thanks for your fast response !!
I have opted for the first option, although I also tried option 2. However, neither seems to be working. We are using Pix version 8.02 for both PIXes.
The LAN security is 100
The Servers are 50
The outside of Pix1 is 0
So essentially, the inside int of Pix1 and outside int of Pix2 are both on 50, and I have allowed hosts on the same security level to talk to each other.
For Pix1, i have the following Static routes (if that helps)
route outside 0.0.0.0 0.0.0.0 190.xxx.yyy.1 1
route outside 192.168.5.0 255.255.255.0 LAN 1
(where 190.xxx.yyy.1 is our router/gateway to the internet)
For Pix2, i have the following Static routes
route outside 0.0.0.0 0.0.0.0 192.168.105.1 1
Where 192.168.105.0/24 is the internal IP range of the DMZ
thanks a lot
Ali
02-27-2009 05:27 AM
Ali
Where are you trying to communicate from and where to? e.g. IP addresses etc.
Have you allowed the access with ACLs?
Could you provide some more detail.
Jon
02-27-2009 06:12 AM
Sorry Jon, for the confusion
The following apply
LAN - 192.168.5.0/24
DMZ - 192.168.105.0/24
The DMZ IPs translate statically to 190.xxx.yyy.0/24 on the outside int of Pix1. So on the inside we have 192.168.105.0/24
Pix2
Outside interface - 192.168.105.9
Inside interface - 192.168.5.1
We want the hosts on the LAN to be able to talk to the DMZ hosts, which by nature of a firewall it should, as it is outbound. (But it isn't.)
We also want communication from 192.168.105.0/24 (DMZ) to the LAN controlled by ACLs (which have been setup)
Internet
|
(190.xxx.yyy.0/24)
|
PIX with Static Nat
|
(192.168.105.0/24) = DMZ
192.168.105.9
|
PIX
|
LAN
Hope this helps
Ali
02-27-2009 07:17 AM
Ali
What is the default gateway set to on the servers in the DMZ? If it is set to Pix1:
1) Have you enabled hairpinning on that pix - i suspect you have because of your statement "i have allowed hosts on the same security level to talk to each other"
2) Your route -
route outside 192.168.5.0 255.255.255.0 LAN 1
this should read -
route inside 192.168.5.0 255.255.255.0 LAN 1
Jon
02-27-2009 08:33 AM
Jon,
The default gateway for the DMZ is the inside interface of Pix1, 192.168.105.1
1. We did not enable hairpinning as it was a real big issue, and in the end we edited host files for internal communication.
2. I have changed the static route as you have mentioned.
Now we're getting somewhere. I can TS and ping both ways, from DMZ to LAN and vice versa. I cannot however access the Internet from the LAN (but can from DMZ). Both TCP and UDP port 53 are open, as well as HTTP inbound, on Pix1 and Pix2. I have a DNS server in the DMZ which I have made the DNS server for the LAN hosts for now. I can ping and TS both ways, but cannot access the web. Perhaps there is still a small config adjustment to be made.
Thanks for your help
Ali
02-27-2009 10:49 AM
Ali
If you have NAT turned off then your internal addresses will not be changed, so they will go out onto the Internet as 192.168.5.x, which are not routable, unless you have a catch-all NAT statement on the Pix that translates all addresses arriving on its inside interface.
If you don't, you need to modify Pix1 to include 192.168.5.x in its NAT statements so these addresses are NATted to a public IP before going onto the Internet.
Jon
03-02-2009 06:13 AM
Hi Jon
Thanks for the suggestion, I got Internet working, and I can TS from LAN to DMZ. I cannot ping from LAN to DMZ; am I right to assume that this is because ICMP is not a stateful connection, and my NAT is set up as follows?
nat-control
global (Outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
In other words, as the ASDM shows, everything on the 192.168.5.0/24 range goes out through the inside interface and is mapped as the Outside interface. The arrow direction is outbound, there is nothing to show, inbound.
If this is the case, can you please advise how I can enable pinging from LAN to DMZ, and further to that, if I can allow communication from DMZ to LAN, as this was working when I had no NATting.
Thanks a lot
Ali
03-02-2009 07:33 AM
Ali
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
then you need to have an ACL on the DMZ interface to allow traffic into the LAN. Be careful with the ACL; it should follow this logic:
1) allow ICMP back to LAN
2) allow any ports from DMZ to LAN you want
3) deny all other traffic from DMZ to LAN
4) Permit all other traffic
without 4) the DMZ will not be able to communicate to other addresses reachable via different interfaces.
Jon
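An added example, not configuration posted in this thread, of how the identity static and the four-step ACL from the post above could look on Pix2 in PIX 8.0 syntax, together with the Pix1 change from Jon's earlier post about NATting 192.168.5.x. The interface names (Pix2's DMZ-facing interface is called outside here, as Ali does), the ACL name dmz_in, the Terminal Services port 3389 and the Pix1 public PAT address are assumptions.

```cisco
! --- Pix2 (LAN firewall): assumed interface names 'outside' (faces the DMZ) and 'inside' (faces the LAN)
! Identity static: LAN hosts keep their real 192.168.5.x addresses towards the DMZ,
! so DMZ hosts (and the ACL below) can address them directly
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
!
! ACL applied inbound on the DMZ-facing interface, in the order Jon describes
! 1) ICMP replies and errors back to the LAN, so LAN-originated pings complete
access-list dmz_in extended permit icmp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 echo-reply
access-list dmz_in extended permit icmp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 time-exceeded
access-list dmz_in extended permit icmp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 unreachable
! 2) only the DMZ-to-LAN ports actually needed; 3389 (Terminal Services) is an assumed value
access-list dmz_in extended permit tcp 192.168.105.0 255.255.255.0 192.168.5.0 255.255.255.0 eq 3389
! 3) everything else from the DMZ into the LAN is dropped and logged
access-list dmz_in extended deny ip any 192.168.5.0 255.255.255.0 log
! 4) traffic to any other destination is still allowed: once an ACL is bound to the interface,
!    its implicit deny replaces the security-level behaviour, so without this line all
!    other traffic entering this interface would be dropped
access-list dmz_in extended permit ip any any
access-group dmz_in in interface outside
!
! --- Pix1 (Internet firewall): LAN traffic now reaches Pix1 with its real 192.168.5.x source,
! so Pix1 needs a route back to Pix2 and must translate the LAN range itself.
! 192.168.105.9 is Pix2's outside address from the thread; the PAT address is a placeholder.
route inside 192.168.5.0 255.255.255.0 192.168.105.9 1
global (outside) 1 <PUBLIC_PAT_ADDRESS>
nat (inside) 1 192.168.5.0 255.255.255.0
```

Because a static takes precedence over a dynamic nat/global pair for the hosts it matches, adding the identity static on Pix2 stops Pix2 from hiding 192.168.5.0/24 behind its outside address, so Internet access from the LAN then depends on the Pix1 entries above.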
03-02-2009 08:34 AM
Jon,
OK, thanks, but I am a little stuck.
1) was already in ACL
2) was already configured
3) there is an implicit rule which denies all inbound traffic on IP, after all the ACLs have been implemented. As you know, the outside interface of Pix2 sits in the inside-network/24 of Pix1, hence I assume I can use this implicit rule for 3)
4) Is this to be input into Pix1 or Pix2? If so, how do you go about this rule?
thanks a lot
Ali
03-02-2009 09:24 AM
Ali
Have you set up the NAT statement at the start of my last post ie.
static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
Jon
03-02-2009 09:32 AM
Jon, yes, I put that in. I ended up with two NAT statements.
The first is the one I had, which says all the hosts in the LAN are translated to the IP of the outside interface. This works a treat, as it started to allow web access and TS into the DMZ. It didn't allow pinging because I think ICMP is stateless. (But I could not ping into the LAN as their IPs were being translated to the outside of Pix2, nor could I TS into the LAN.)
When I added your suggestion, that created some confusion in the system, so I removed my NAT statement and left yours in. This allowed TS and ping both ways but didn't allow access to the Internet. I have the hosts pointing to a DNS server sitting in the LAN.
Thanks
Ali
03-02-2009 09:35 AM
Ali
Is there any chance of posting the config of both Pix firewalls, or at least the inside Pix firewall?
Jon
03-03-2009 03:04 AM
Ok Jon, I have attached here the config for the inside Pix.
thanks